LinuxQuestions.org
Old 08-13-2021, 04:53 AM   #1
Rajasekhar Bhumireddy
LQ Newbie
 
Registered: Sep 2015
Posts: 1

Rep: Reputation: Disabled
FQDN in Packet Filter


I want to restrict access to specific public domain names from my machine.

To achieve this, I am providing fully qualified domain names in a packet filter rule.

For example:
Code:
pass out on <interface> inet from <myip> to example.com
pass in on <interface> inet from example.com to <myip>

What I understood from OpenBSD's user guide is "A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule".

I have a few queries about this:

1. IPs are substituted into the rule while loading the ruleset; what if there is a change in the IP of the domain name after loading?

2. Is this FQDN option in a pf rule only for static IPs?

3. Does it consider the IP dynamicity of the domain name?
 
Old 08-13-2021, 07:37 AM   #2
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 239

Rep: Reputation: 109Reputation: 109
For PF, domain resolution occurs at rule loading time ONLY. And if the rules are being loaded during boot by rc(8), a domain name server may not yet be available to the OS. In that case, resolution must come from a hosts(5) file rather than a server. For HTTP/HTTPS traffic, the better solution is relayd(8). There's an example of blocking a social media website in the relayd.conf(5) man page.
Quote:
Originally Posted by Rajasekhar Bhumireddy
1. IPs are substituted into the rule while loading the ruleset; what if there is a change in the IP of the domain name after loading?
There will be no change to the rule(s) created at load time.
Quote:
2. Is this FQDN option in a pf rule only for static IPs?
Yes.
Quote:
3. Does it consider the IP dynamicity of the domain name?
No.
Old 08-13-2021, 09:32 AM   #3
jggimi
Member
 
Registered: Jan 2016
Distribution: None. Just OpenBSD.
Posts: 239

Rep: Reputation: 109Reputation: 109
Two additional points on domain resolution.
  1. If during resolution there are both IPv4 and IPv6 addresses resolved -- both A and AAAA records returned by DNS or both IPv4 and IPv6 addresses in hosts(5) -- there will be two rules created internally for PF: one each for IPv4 and for IPv6.
  2. If the domain resolves to multiple addresses, then a temporary table is loaded with the addresses for each rule.
As an example, a rule written as
Code:
pass in from yahoo.com
will produce two internal rules with two temporary tables, as shown in the output from `# pfctl -sr`, since yahoo.com resolves to a pool of IPv4 addresses and a pool of IPv6 addresses:
Code:
pass in inet6 from <__automatic_311a83f5_0> to any flags S/SA
pass in inet from <__automatic_311a83f5_1> to any flags S/SA

Last edited by jggimi; 08-13-2021 at 09:43 AM.
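As an added example, not part of this thread and not OpenBSD's own tooling: since PF resolves a name only once at ruleset load (post #2) and turns a multi-address name into a temporary table anyway (post #3), the usual way to follow a name whose addresses change is to keep those addresses in a persistent PF table and refresh it periodically with `pfctl -t <table> -T replace`, for instance from cron(8). The table name `allowed_fqdn`, the pf.conf fragment in the header comment, and the host(1)-style sample output are all assumptions constructed for illustration. The script refuses to replace the table with an empty set, so a transient DNS failure leaves the last known addresses in place instead of silently emptying the table.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): keep a PF table in
# step with DNS instead of relying on an FQDN resolved once at ruleset load.
#
# Assumed (hypothetical) pf.conf fragment that this script feeds. DNS must
# stay reachable, or the resolver below can never refresh the table:
#   table <allowed_fqdn> persist
#   pass out quick on egress proto { tcp udp } to port domain
#   pass out quick on egress to <allowed_fqdn>
#   block out on egress
# pfctl -T replace needs root; run it from root's crontab, e.g. every 5 min.

# Pull IPv4/IPv6 addresses out of host(1)-style output read on stdin.
# MX, CNAME and error lines are ignored on purpose; duplicates collapse.
extract_addrs() {
    awk '
        / has address /      { print $NF }
        / has IPv6 address / { print $NF }
    ' | sort -u
}

# Resolve one or more names with host(1); print the unique address set.
resolve_names() {
    for name in "$@"; do
        host "$name" 2>/dev/null
    done | extract_addrs
}

# Replace the contents of a PF table with the given addresses.
# Refuses an empty set so a failed lookup can never empty the table.
replace_table() {
    table=$1; shift
    if [ "$#" -eq 0 ]; then
        echo "refusing to replace <$table> with an empty address set" >&2
        return 1
    fi
    pfctl -t "$table" -T replace "$@"
}

# Resolve the names, then swap them into the table in one pfctl call.
# Usage: sh pf_fqdn_refresh.sh allowed_fqdn example.com www.example.com
refresh_table() {
    table=$1; shift
    set -- $(resolve_names "$@")
    replace_table "$table" "$@"
}

# Constructed host(1)-style output (documentation addresses), used when the
# script is run without arguments so the parsing step can be seen offline.
demo_extract() {
    printf '%s\n' \
        'example.com has address 192.0.2.10' \
        'example.com has IPv6 address 2001:db8::1' \
        'example.com mail is handled by 10 mail.example.com.' \
        'example.com has address 192.0.2.10' | extract_addrs
}

if [ "$#" -eq 0 ]; then
    demo_extract
else
    refresh_table "$@"
fi
```

Run without arguments it only prints the parsed sample addresses; with a table name and one or more hostnames it resolves them and replaces the table. Because the rule references the table rather than the name, no ruleset reload is needed when the addresses change, and states already established to the old addresses are not affected by the table swap.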